On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> * Martin Monperrus:
>> Would it make sense to keep track of valid https support for the
>> secondary mirrors?
>
> Actually the issue still holds: The mirror team needs to repoint
> mirrors to other servers at times and thus the certificate there
> wouldn't include those redirected mirrors.

The mirror team don't control the DNS for secondary mirrors. The individual mirror admins could be doing that, but it seems unlikely to me.

> I am aware that there is a privacy concern involved, like what packages
> get downloaded, but apart from that that's the only knowledge to gain
> from unencrypted http traffic.

https doesn't provide protection against correlation of download size to packages downloaded, so it doesn't have much advantage over http for package download privacy.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise